Information within organizations and entities is often classified as sensitive either for business reasons or for legal reasons. This information may reside within text files, databases, images, pictures, messages, etc. In addition to the potential threat of an unscrupulous party illegally accessing the organization from the outside via an electronic network and then removing or disrupting the information, there exists the risk of intentional or inadvertent transmission of the sensitive information from inside the organization to the outside. For example, a disgruntled employee might e-mail a sensitive data file to which he or she has access to an outside party, thus causing harm to the organization.
In addition to simple business reasons for not wanting sensitive information to be released, i.e., the desire to keep trade secrets secret, many new government regulations mandate controls over information (requiring that the sensitive information not be released outside the company), and companies must comply in view of significant penalties. For example, HIPAA regulates health information, Basel II regulates financial information, Sarbanes-Oxley regulates corporate governance, and a large number of states have passed data privacy laws requiring organizations to notify consumers if their information is released. Companies are also subject to regular information technology audits, which they can fail if they do not employ suitable controls and standards. Companies today are struggling to determine where their most sensitive information is stored, how it is being used, who has access to it, and how to prevent it from being lost or compromised.
Technology companies have reacted to this environment with a host of data leakage prevention (DLP) products. These products are typically hardware/software platforms that monitor and prevent sensitive information from being leaked outside the company, and automatically enforce data protection policies. DLP products are also known as data loss prevention, information leak prevention, etc. Gateway-based DLP products are typically installed at the company's Internet network connection and analyze outgoing network traffic for unauthorized transmission of sensitive information. These products typically generate a unique signature for each item of sensitive information while it is stored within the company, and then search for those signatures as information passes out over the network boundary. Host-based DLP products typically run on end-user workstations within the organization. These products can address internal as well as external release of information and can also control information flow between groups of users within an organization. They can also monitor electronic mail and instant messaging communications and block them before they are sent.
The traditional way to implement data leakage prevention is to define a global data signature database in a software product such as a “Data Leakage Prevention Enforcer,” which is a control center that defines prevention policies, audits data leakage, and analyzes results. The signature of each data item is typically computed by an algorithm applied to the contents of the data item. Each signature typically occupies about 64 bytes on disk. For an organization that needs to protect one million files, the DLP global signature database would therefore occupy about 64 Mbytes on disk. The storage required for the global database grows further with any enlargement of the scope of leakage prevention required. For desktop computers and laptop computers this storage requirement is acceptable, since they typically have enough capacity and processing capability to bear the load.
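The signature database and boundary check described in the two preceding paragraphs, as an added illustration that is not code from the original document or from any DLP product. It assumes SHA-512 as the signature algorithm (its 64-byte digest matches the per-signature size cited above), a constructed 256-byte block size so that a sensitive file embedded inside a larger message is still recognised, and constructed sample files and messages; the file names and message contents are invented for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Assumed parameters (constructed for this example, not taken from any product).
SIGNATURE_BYTES = 64   # a SHA-512 digest is 64 bytes, the per-signature size cited in the text
BLOCK_SIZE = 256       # block length used to recognise a sensitive file embedded in a larger message


def signature(data: bytes) -> bytes:
    """Content signature: the SHA-512 digest of the bytes (assumed algorithm)."""
    return hashlib.sha512(data).digest()


class SignatureDatabase:
    """Global signature database of the kind a DLP enforcer would hold."""

    def __init__(self) -> None:
        self.whole: Dict[bytes, str] = {}               # signature of a whole file -> file name
        self.blocks: Dict[bytes, Tuple[str, int]] = {}  # signature of one block -> (file name, block index)

    def add_file(self, name: str, content: bytes) -> None:
        """Register a sensitive file: one whole-file signature plus one signature per full block."""
        self.whole[signature(content)] = name
        for index, offset in enumerate(range(0, len(content) - BLOCK_SIZE + 1, BLOCK_SIZE)):
            self.blocks.setdefault(signature(content[offset:offset + BLOCK_SIZE]), (name, index))

    def size_bytes(self) -> int:
        """Storage the database occupies, counting SIGNATURE_BYTES per stored signature."""
        return (len(self.whole) + len(self.blocks)) * SIGNATURE_BYTES

    def inspect(self, payload: bytes) -> List[Tuple[str, str, int]]:
        """Return (kind, file name, offset) for every stored signature found in an outgoing payload."""
        hits: List[Tuple[str, str, int]] = []
        name = self.whole.get(signature(payload))
        if name is not None:
            hits.append(("whole-file", name, 0))
        # Slide a BLOCK_SIZE window over the payload so an embedded copy is found at any offset.
        for offset in range(0, len(payload) - BLOCK_SIZE + 1):
            found = self.blocks.get(signature(payload[offset:offset + BLOCK_SIZE]))
            if found is not None:
                hits.append(("block", found[0], offset))
        return hits


def gateway_decision(db: SignatureDatabase, payload: bytes) -> Tuple[str, List[str]]:
    """Gateway policy: block the transmission if any sensitive file's signature appears in it."""
    files = sorted({name for _, name, _ in db.inspect(payload)})
    return ("block" if files else "allow"), files


# Constructed sample data: two sensitive files held inside the organisation.
CUSTOMER_LIST = b"".join(b"%05d,Customer %d,card-XXXX-%04d\n" % (i, i, i) for i in range(20))
DESIGN_NOTES = b"".join(b"Step %02d: constructed design note line\n" % i for i in range(12))

# Constructed outgoing e-mail that carries the customer list inside a larger body.
MESSAGE_HEADER = b"From: alice@example.invalid\nTo: outsider@example.invalid\nSubject: fwd\n\n"
OUTGOING_MESSAGE = MESSAGE_HEADER + CUSTOMER_LIST + b"\n-- sent from a mobile device\n"


def build_sample_database() -> SignatureDatabase:
    db = SignatureDatabase()
    db.add_file("customer_list.csv", CUSTOMER_LIST)
    db.add_file("design_notes.txt", DESIGN_NOTES)
    return db


if __name__ == "__main__":
    db = build_sample_database()
    print("database size:", db.size_bytes(), "bytes")
    for label, payload in [("forwarded list", OUTGOING_MESSAGE),
                           ("design notes", DESIGN_NOTES),
                           ("lunch note", b"Lunch on Friday?\n")]:
        print(label, "->", gateway_decision(db, payload))
```

The whole-file table alone reproduces the arithmetic in the text (one 64-byte signature per file, so one million files cost about 64 Mbytes); the block table needed to catch embedded fragments multiplies that figure by the number of blocks per file, which is the storage pressure the following paragraph raises for memory-limited devices.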
Mobile computing devices (such as mobile telephones, notebook computers, personal digital assistants, etc.), however, often have very limited resources (i.e., their memory capacity is often less than 1 MByte), and the capacity of their file systems is also limited. In addition, some mobile devices do not support floating point computation, and their processing speed can be more than 1,000 times slower than that of an ordinary desktop computer. It can be almost impossible to load the traditional global DLP signature database into these resource-limited devices, let alone execute the DLP product successfully on the device. As more and more mobile devices connect to enterprise networks and are allowed access to sensitive files, it will be important to prevent data leakage from these devices.
Therefore, it would be desirable to have an improved apparatus and technique for preventing data leakage from resource-limited computing devices such as mobile telephones, etc.